-rwxr-xr-xinstaller/archangel4
-rw-r--r--installer/lib/common.sh18
-rw-r--r--tests/unit/test_common.bats73
3 files changed, 92 insertions, 3 deletions
diff --git a/installer/archangel b/installer/archangel
index 64718da..e04b8d9 100755
--- a/installer/archangel
+++ b/installer/archangel
@@ -853,9 +853,7 @@ configure_ssh() {
if [[ "$ENABLE_SSH" == "yes" ]]; then
step "Configuring SSH"
- # Ensure sshd config allows root login with password
- sed -i 's/^#PermitRootLogin.*/PermitRootLogin yes/' /mnt/etc/ssh/sshd_config
- sed -i 's/^PermitRootLogin.*/PermitRootLogin yes/' /mnt/etc/ssh/sshd_config
+ enable_sshd_root_login /mnt/etc/ssh/sshd_config
# Enable sshd service
arch-chroot /mnt systemctl enable sshd
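Review bot: The removed comment was the only place configure_ssh said what this step does, and `enable_sshd_root_login /mnt/etc/ssh/sshd_config` now reads like a neutral setup call although it turns on root login over SSH for the installed system (password root login too, unless PasswordAuthentication is set elsewhere); keep a one-line comment above the call, e.g. `# Allow root login over SSH (PermitRootLogin yes); helper lives in lib/common.sh and errors if no directive is found`. The call also assumes lib/common.sh has been sourced before configure_ssh runs, which this hunk cannot show. If the helper's `error` exits rather than returns, a config with no PermitRootLogin directive now aborts the install before the `systemctl enable sshd` line, where the old sed pair would have continued silently; that looks intended but deserves a sentence in the commit message. configure_ssh begins and ends outside the hunk.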
diff --git a/installer/lib/common.sh b/installer/lib/common.sh
index d375a9c..3040799 100644
--- a/installer/lib/common.sh
+++ b/installer/lib/common.sh
@@ -284,3 +284,21 @@ list_available_disks() {
done
printf '%s\n' "${disks[@]}"
}
+
+#############################
+# SSH Configuration
+#############################
+
+# Ensure the given sshd_config file ends up with `PermitRootLogin yes`.
+# Combines the commented (#PermitRootLogin) and uncommented
+# (PermitRootLogin) replacements into one sed invocation, then verifies
+# the directive is present. Errors out if neither pattern matched, since
+# silently appending would mask a corrupted starting file.
+enable_sshd_root_login() {
+ local config_file="$1"
+ sed -i -e 's/^#PermitRootLogin.*/PermitRootLogin yes/' \
+ -e 's/^PermitRootLogin.*/PermitRootLogin yes/' \
+ "$config_file"
+ grep -q '^PermitRootLogin yes$' "$config_file" \
+ || error "PermitRootLogin not set in $config_file (no matching line to replace)"
+}
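Review bot: The closing grep only proves that a `PermitRootLogin yes` line exists in this file, not that sshd will use it: sshd keeps the first value it reads for a keyword, and stock sshd_config files on many distributions (recent Arch packages included, as far as I recall) begin with `Include /etc/ssh/sshd_config.d/*.conf`, so a drop-in that sets PermitRootLogin, or an indented directive inside a `Match` block that the `^`-anchored patterns skip, wins over the line this helper writes. The header comment should say the function rewrites column-0 directives in the one file rather than the effective setting, and the caller can confirm the effective value with `sshd -T` inside the chroot. A missing or unreadable `$config_file` makes `sed -i` fail first and then surfaces as the misleading "no matching line to replace" message; a guard before the sed, `[[ -r "$config_file" ]] || error "sshd config not readable: $config_file"`, keeps the two failures distinct.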
diff --git a/tests/unit/test_common.bats b/tests/unit/test_common.bats
index 4d58bd9..9d267ab 100644
--- a/tests/unit/test_common.bats
+++ b/tests/unit/test_common.bats
@@ -332,3 +332,76 @@ Boot0001* ZFSBootMenu"
@test "EFI_DIR is defined and equals /mnt/efi" {
[ "$EFI_DIR" = "/mnt/efi" ]
}
+
+#############################
+# enable_sshd_root_login
+#############################
+# enable_sshd_root_login takes an sshd_config path and ensures the
+# file ends up with `PermitRootLogin yes`. It must error loudly if
+# neither the commented (#PermitRootLogin) nor uncommented
+# (PermitRootLogin) form is present, since silently appending would
+# mask a corrupted starting file.
+
+@test "enable_sshd_root_login uncomments stock Arch sshd_config line" {
+ local f
+ f=$(mktemp)
+ printf '%s\n' '#PermitRootLogin prohibit-password' > "$f"
+
+ enable_sshd_root_login "$f"
+
+ grep -q '^PermitRootLogin yes$' "$f"
+ rm -f "$f"
+}
+
+@test "enable_sshd_root_login flips PermitRootLogin no to yes" {
+ local f
+ f=$(mktemp)
+ printf '%s\n' 'PermitRootLogin no' > "$f"
+
+ enable_sshd_root_login "$f"
+
+ grep -q '^PermitRootLogin yes$' "$f"
+ ! grep -q '^PermitRootLogin no$' "$f"
+ rm -f "$f"
+}
+
+@test "enable_sshd_root_login is idempotent on PermitRootLogin yes" {
+ local f
+ f=$(mktemp)
+ printf '%s\n' 'PermitRootLogin yes' > "$f"
+
+ enable_sshd_root_login "$f"
+
+ [ "$(grep -c '^PermitRootLogin yes$' "$f")" -eq 1 ]
+ rm -f "$f"
+}
+
+@test "enable_sshd_root_login replaces all matching lines (mixed commented + uncommented)" {
+ local f
+ f=$(mktemp)
+ printf '%s\n' \
+ '#PermitRootLogin prohibit-password' \
+ 'PermitRootLogin no' \
+ 'OtherOption value' \
+ '#PermitRootLogin without-password' > "$f"
+
+ enable_sshd_root_login "$f"
+
+ [ "$(grep -c '^PermitRootLogin yes$' "$f")" -eq 3 ]
+ ! grep -q '^PermitRootLogin no$' "$f"
+ grep -q '^OtherOption value$' "$f"
+ rm -f "$f"
+}
+
+@test "enable_sshd_root_login errors when no PermitRootLogin line is present" {
+ local f
+ f=$(mktemp)
+ printf '%s\n' 'OnlyOtherOptions yes' > "$f"
+
+ error() { echo "ERROR: $*" >&2; return 1; }
+ run enable_sshd_root_login "$f"
+ [ "$status" -ne 0 ]
+ [[ "$output" == *"PermitRootLogin"* ]]
+ ! grep -q 'PermitRootLogin' "$f"
+ rm -f "$f"
+}
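Review bot: Every test creates its file with `mktemp` and removes it only on its last line, so any failed assertion (for example the `grep -c` check in the mixed-lines test) leaves the temp file behind; bats-core (1.4+) provides `$BATS_TEST_TMPDIR`, which it removes for you, so `f="$BATS_TEST_TMPDIR/sshd_config"` in place of `f=$(mktemp)` plus dropping the `rm -f` lines keeps the cleanup on failure paths as well. The `error` override at the top of the last test presumably exists because the library's `error` exits rather than returns, which the hunk cannot show; a comment such as `# shadow the library's exiting error() so run can capture the status` would explain why it is there. There is no case for an indented `PermitRootLogin` line inside a `Match` block or for a `# PermitRootLogin` comment with a space after the hash, both of which the column-0 patterns leave untouched, so the helper's real boundaries are not pinned by the suite.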